A deep inside look at digital security threats and human behavior through various verticals. “Business firms seem to have forgotten that hackers target human vulnerability and weakness to break the organization,” says Rohyt Belani, Co-founder and CEO, PhishMe. “According to Belani, 95 percent of the organizations use the wrong mechanism to ensure security and do not train humans to be vigilant about the attacks.”Read More

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.

The recent Carefirst breach is just the latest in a rash of large-scale healthcare breaches, but the prevailing notion in the aftermath of this breach is that it isn’t as severe as the Anthem or Premera breaches that preceded it. The thinking is that the victims of this breach dodged a bullet here, since attackers only accessed personal information such as member names and email addresses, not more sensitive information like medical information, social security numbers, and passwords. However, attackers may still be able to use this partial information in a variety of ways, and a partial breach should not be dismissed as trivial.

A few weeks ago, we received a round of phishing emails with malware that seemed a little more special than your run-of-the-mill ZeuS, so we decided to give it some analysis. The email was reported by a user at PhishMe. We really do drink our own kool-aid. Figure 1 shows a screenshot of the email that is being analyzed.

Watering-hole attacks have been established as an effective attack technique for a while now. As the industry has analyzed some prominent examples, many have come to the conclusion that watering-holes present an alternative to spear phishing.

“Targeted attacks no longer rely as heavily on spear-phishing attacks in order to penetrate an organization’s defenses. More recently the attackers have expanded their tactics to include watering-hole attacks, which are legitimate websites that have been compromised for the purpose of installing targeted malware onto the victim’s computer.”

At PhishMe, we feel like we’ve done a pretty good job of debunking the idea that you can address the spear phishing threat using the pentest model, but after reading this Washington Post story about a phishing test gone awry, it looks like we still have some work to do.

In this test, an Army combat commander sent an email to a “small group” of Army employees disguised as an email from their retirement plan provider urging them to log in to their accounts. The email used the name of Thrift Savings Plan, the actual 401(k) account provider for most federal employees, and provided no indication that it was a simulated phishing exercise, causing a panic across the DoD as concerned recipients shared the email with colleagues and flooded the Thrift Savings Plan customer support line. It took nearly three weeks for the Pentagon to trace the origin of the email.

A Target spokesperson confirmed last week that attackers initially gained access to the company systems through stolen credentials obtained through a vendor. While Target has not confirmed the exact method through which the credentials were stolen, one possible scenario is that attackers sent a spear-phishing email to the vendor, obtained valid login credentials for Target, and used those credentials to gain a foothold in Target’s network.

Punishing users for undesired security behavior? We believe that punishing users is a misguided idea that will alienate them and make it difficult to ever improve user security behavior. Every so often, someone in the industry brings up the idea of punishing users as a way of motivating/improving behavior. We hadn’t heard much on this topic since we wrote a post on it back in September; however, it has flared up again.

I’m often asked which employees are most likely to be targeted by phishing emails. It’s interesting to think about, but the truth is that adversaries will target whichever employees can offer access to the enterprise’s network—and that could potentially be anyone in your organization. Recent research from ProofPoint confirmed this, finding that staff-level employees were targeted by phishing attacks more often than middle and executive management.

The takeaway here is that for security awareness to be effective, it needs to include everyone in your organization. Aside from the obvious security necessity, including the entire organization in your security awareness initiatives enhances your program in a number of ways.

During my years at Mandiant, I responded to a lot of breaches for a wide variety of organizations. Every breach case had one thing in common – the customer was compliant.

Addressing security threats requires a new direction from the mindset that compliance equals security.

While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.

Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.